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International Patent Application 
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PCT/DO/EO/US 

International Filing bate: 27 April 1999 
Applicant: Klaus VEDDER 

For: METHOD FOR AUTHENTICATING A CHIP CARD IN A MESSAGE 
TRANSMISSION NETWORK 

PRELIMINARY AMENDMENT 

Assistant Commissioner for Patents 
Washington, D.C. 20231 

Sir: 

This paper accompanies documents submitted to establish the U.S. national 
stage of the above-identified international patent application. 

The international patent application was amended under PCT Article 34 and the 
claims as-amended are annexed to the international Preliminary Examination Report 
(IPER). 

Before calculation of the filing fee and before examination, kindly amend the 
claims as annexed to the IPER as follows: 
IN THE CLAIMS : 

Claim 3, line 1; delete "or 2"; 

Claim 4, line 1; change "any of claims 1 to 3" to -claim 1--; 
Claim 5, line 1 ; change "any of claims 1 to 4" to -claim 1»; 
Claim 6, line 1 ; change "any of claims 1 to 5" to -claim 1-; 
Claim 7, line 1 ; change "any of claims 1 to 5" to -claim 1-; 
Claim 8, line 1 ; change "any of claims 1 to 5" to -claim 1-~; 
Claim 9, line 1 ; change "any of claims 1 to 8" to -claim 1»; 
Claim 10, line 1; change "any of claims 1 to 9" to -claim 1--; 
Claim 11, line 1; change "any of claims 1 to 10" to -claim 1-; 
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REMARKS 

All rights are reserved to the original claimed subject matter. The claims have 
been amended to reduce the filing fees and to correct any improper multiple dependent 
claims. Examination of the application as amended is respectfully requested. 

:tfully submitted, 
THOMAS, PLLC 



BACON & THOMAS, PLLC 

625 Slaters Lane, Fourth Floor 
Alexandria, Virginia 22314 

Telephone: (703) 683-0500 
Facsimile: (703)683-1080 




IRNEST KENNEY 
\ttorney forApplicant 
Registration Number 19,179 



Date: November 5, 2000 
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Method for authenticating a smart card 
within a messaging network 

This invention relates to a method for authenticating a smart card in a messag- 
ing network, preferably a GSM network, according to the preamble of claim 1. 

In GSM systems it is known that for using the smart card (subscriber identity 
module, SIM) the user must usually first identify himself as an authorized user by 
means of a personal identification number (PIN). In order to avoid abuse at this 
point, it is known to provide an error counter for the PIN entry to prevent further use 
of the card after a permissible number of failed attempts is exceeded. 

A further system-relevant security measure is to authenticate the card vis-a-vis 
the mobile network. A secret key inaccessible from outside and an algorithm like- 
wise inaccessible from outside are stored in the card. For authentication a random 
number is generated by the network or a network component and transferred to the 
card. The card then calculates from the random number and secret key by means of 
the algorithm present in the card a response which it transfers to the network. This 
response is analyzed in the network and, if the result is positive, access to the net- 
work functions is allowed. The corresponding procedure is described in the relevant 
GSM specifications. 

A network protected as stated above involves the danger that attacks on the al- 
gorithm used for authentication permit the network to be simulated in a computer for 
example by e.g. selected "random numbers" being transmitted to the SIM card ac- 
cording to the standardized protocol and the secret key of the smart card being de- 
termined therefrom, after several authentication attempts. If the algorithm of the card 
is additionally known, essential functional elements of the card can be simulated or 
duplicated after determination of the secret key. 

It is therefore the problem of the invention to state a reliable method for 
authenticating a smart card in a messaging system wherein there is no acknowledg- 
ment of the authentication result to the subscribing smart card, as customary in the 
GSM network for example. 



This problem is solved according to the invention starting out from the features 
of the preamble of claim 1 by the characterizing features of claim 1. 

Advantageous embodiments of die invention are stated in the dependent claims. 

The invention provides for forming the authentication message by forming at 
least two parts from both the secret key and the random number transferred by the 
network, one of the parts of the transferred random number and one or more parts of 
the secret key being encrypted by means of a one- or multistep, preferably symmet- 
rical calculation algorithm. To' output an authentication message, a selectable part of 
the result calculated according to the authentication algorithm is transferred to the 
network. 

An advantageous embodiment of the invention provides for generating the 
channel coding key in the same way. There too it is provided that, if key and random 
number are split into two parts for example, either the first or the second part of the 
transferred random number is linked with the first and/or second part of the secret 
key with a one- or multistep algorithm in order to obtain a channel coding key. One 
preferably uses different parts of the random number obtained from the network for 
forming the authentication message and the channel coding key in each case. 

A further advantageous embodiment of the invention provides that the secret 
key stored in the card and the random number sent by the network to the card are 
split into equally long parts. This permits the same calculation algorithm to be used 
in both cases. The random number or secret key can be split by simply making a 
split "in the middle" or by creating overlapping partial areas. One can also effect a 
split by which the sum of the individual parts is smaller than the bit length of the 
random number or secret key. According to a further variant, a given number of bits 
of the random number or secret key can be combined into a key or random number 
part according to a predetermined pattern or pseudorandomly. 

As a further advantageous embodiment of the invention, one can use DES algo- 
rithms as calculation algorithms for authentication and for channel coding. 

Another advantageous variant of the invention provides for using the preferably 
one-step IDEA algorithm for calculating the authentication parameters and channel 
coding keys. 



Alternatively, one can calculate the authentication parameters and channel 
coding keys using compression algorithms, preferably cryptographic compression 
algorithms whose output values have a smaller length than the input parameters. 

To increase security it is advantageous to use an at least two-step calculation 
algorithm, whereby a triple DES algorithm proves especially safe. With this algo- 
rithm one first encrypts with a first part of the key and a part of the random number, 
then performs decryption of the result with the second part of the key, and finally 
executes a further calculation with the first part of the key again. For the last en- 
cryption with the first part of the key one can advantageously use a new, third key, 
in particular if the key is split into three key parts. 

A further advantageous embodiment of the invention results if the selection of 
the first or second part of the random number is effected alternatingly for authenti- 
cation and calculation of the channel coding, this alternation being executed ran- 
domly or pseudorandomly and the selection being effected in the same way in the 
card and the network. 

The invention will be described more closely in the following with reference to 
Figures 1 to 3. 

Fig. 1 shows the sequence of cryptographic functions of the SIM in the GSM 
network. 

Fig. 2 shows a block diagram of triple DES encryption. 

Fig. 3 shows examples of the split of the secret key and random number. 

The sequence shown in Fig. 1 assumes that the customary, preceding process 
of PIN verification has been completed. Subsequently, the mobile unit in which card 
SIM is located sends to the network a message which contains IMSI (international 
mobile subscriber identity) information or TMSI (temporary mobile subscriber iden- 
tity) information. Secret key Kj is determined from the IMSI or TMSI in the network 
according to a given function or by means of a table. The same key is also stored in 
smart card SIM in an inaccessible memory space. The secret key is required for later 
verification of the authentication process. 

The network then initiates the authentication process by calculating random 
number RAND and transferring it via the air interface to smart card SIM. 



Authentication parameter SRES is thereupon formed in the smart card by 
means of an authentication algorithm from secret key K t and random number RAND, 
said parameter being in turn transferred via the air interface to the network. Accord- 
ing to the invention, at least two random numbers RAND X and RAND 2 are derived 
from random number RAND. Random numbers RAND X and RAND 2 can be obtained 
by division or a selection from random number RAND or by a calculation algorithm. 

Authentication is effected with a two-step algorithm in the example according 
to Fig. 1. First, as indicated in Fig. 1, first part RAND X of the random number is en- 
crypted with first part K x of key K t likewise split into two parts. The result of said 
first step is subsequently encrypted in a second step with second part K 2 of the key. 
For calculation with the authentication algorithm one can of course also use second 
part RAND 2 of the random number first and change the order of using first and sec- 
ond key parts K\ and K 2 . 

Authentication parameter SRES is meanwhile likewise formed in the network 
in the same way as in the card by means of the authentication algorithm and random 
number RAND (RAND U RAND 2 ) and secret key Ki (K u K 2 \ Parameter SRES is then 
compared in the network with authentication parameter SRES obtained from the 
card. If authentication parameters SRES and SRES match, the authentication process 
is completed successfully. If the authentication parameters do not match, the sub- 
scriber's card is regarded as unauthenticated. It should be noted here that one can 
also form SRES or SRES using only parts of the result obtained by the encryption. 

In the same way as the authentication parameters are generated, key Kc for 
channel coding for data and speech transmission is generated in the card and the 
network. One preferably uses as the input parameter the part of random number 
RAND not used in authentication. 

Figure 2 shows an advantageous example by which calculation with the 
authentication algorithm and/or channel coding is executed by a triple DES algo- 
rithm. According to this algorithm, part RAND { or RAND 2 of the random number is 
first encrypted with first key part K\ . In the next step decryption is effected with K 2 . 
The result is then encrypted with A"i again or, if the random number/key is split into 



a plurality of parts, with a third part of the key. The channel coding is formed in the 
same way. The corresponding algorithms are used in the network in each case. 

Without restricting universality, the description of the examples according to 
Figs. 1 and 2 assumed a two- or three-step, symmetrical encryption algorithm. The 
inventive idea, which consists of splitting the random number and secret key, can of 
course also be executed with other, common encryption or calculation algorithms. 
By way of example, mention is made of not only the DES algorithms (A3; A8) but 
also IDEA. The stated algorithms can also be executed in one step, whereby differ- 
ent parts of the key and/or random number are preferably generated for authentica- 
tion and generation of channel coding key Kc. 

Figures 3a to e give examples of ways of splitting secret key K t or random 
number RAND. 

Figure 3a shows key K t or random number RAND with a length of 128 bits. 

Figure 3b shows a split into two equal parts K x and K 2 (RAND U RAND 2 \ the 
split being made in the middle. Part 1 contains bit 1 to bit 64, part 2 contains bit 65 
to bit 128. Figure 3c shows an overlapping split, and Figure 3d shows a split by 
which the odd bits are assigned to part 1 and the even bits to part 2. Figure 3e finally 
shows a split by which the sum of the bit positions of parts 1 and 2 is smaller than 
the bit positions of the initial key or random number. 



New patent claims 



1 . A method for authenticating a smart card (SIM) in a messaging network, pref- 
erably a GSM network, wherein an algorithm and a secret key are stored in a 
smart card (SIM), whereby for authentication 

the network or a network component first transfers a random number 
(RAND) to the smart card, 

a response signal (SRES) is generated therefrom in the smart card by 
means of the algorithm and the secret key (K t ) and transmitted to the net- 
work or network component, 
characterized in that 

to form the response signal (SRES) the secret key (K t ) and the random 
number (RAND) are each split into at least two parts (K u K 2 ; RAND U 
RAND 2 \ 

one of the parts (RAND U RAND 2 ) of the transferred random number 
(RAND) is encrypted with the aid of one or more parts (K u K 2 ) of the se- 
cret key (Ki) by means of a one- or multistep, preferably symmetrical al- 
gorithm. 

2. A method according to claim 1, characterized in that a given number of bits is 
selected from the encryption result and transferred as a signal response (SRES) 
to the network. 

3. A method according to claim 1 or 2, characterized in that the secret key (Ki) 
and/or the random number (RAND) are split into two parts. 

4. A method according to any of claims 1 to 3, characterized in that a part of the 
transferred random number (R4ND) and one and/or more parts of the secret 
ke Y (Kd are used to calculate a channel coding key (K c ) by means of a one- or 
multistep algorithm, at least one part of the calculation result being used as the 
channel coding key (K c ). 
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5. A method according to any of claims 1 to 4 ? characterized in that the key (K t ) 
and the random number (RAND) are split into two equally long parts (K\, K 2 / 
RAND l9 RAND 2 \ 

6. A method according to any of claims 1 to 5, characterized in that DES algo- 
rithms are used to calculate the authentication parameters (SRES, SRES*) and/or 
the channel coding key (K c ). 

7. A method according to any of claims 1 to 5, characterized in that the, prefera- 
bly one-step, IDEA algorithm is used to calculate the authentication parameters 
(SRES, SRES) and/or the channel coding key (K c ). 

8. A method according to any of claims 1 to 5, characterized in that a compres- 
sion algorithm whose output value has a smaller length than the input parame- 
ter is used to calculate the authentication parameters (SRES, SRES*) and/or the 
channel coding key (jQ. 

9. A method according to any of claims 1 to 8, characterized in that the calcula- 
tion is effected in an at least two-step algorithm. 

10. A method according to any of claims 1 to 9, characterized in that a triple DES 
algorithm is used as an encryption algorithm, whereby one first encrypts with 
the first part (K\) of the key then decrypts with die second part (K 2 ) of the 
key (Kf) and thereupon encrypts again with the first part (K\) or a third part of 
the key (K t ). 

11. A method according to any of claims 1 to 10, characterized in that a selection 
of the first or second part of the random number (RAND) is effected in the 
same way in the card and the network in random or pseudorandom alternation. 
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Abstract 



The invention relates to a method for authenticating a smart card (SIM) in a 
messaging network, preferably a GSM network, wherein an optionally secret algo- 
rithm and a secret key are stored in a smart card (SIM), whereby for authentication 
the network or a network component first transfers a random number to the smart 
card, a response signal is generated in the smart card by means of the algorithm, the 
random number and the secret key, said signal being transmitted to the network or 
network component in order to check the authenticity of the card there. According to 
the invention both the secret key and the random number transferred by the network 
are split into at least two parts to form the authentication message, one part of the 
transferred random number and one or more parts of the secret key being encrypted 
by means of a one- or multistep, preferably symmetrical calculation algorithm. To 
output an authentication response, a selectable part of the encryption result is trans- 
ferred to the network. 
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Declaration for Patent Application and Appointment of Attorney 

As a below named inventor, I hereby declare that my residence, post office address and citizenship are as stated below next to my 
name; I believe that*I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if plural 
names are Listed below) of the subject matter which is claimed and for which a patent is sought on the invention (Design, if applicable) entitled: 
METHOD FOR AUTHENTICATING A CHIP CARD IN A MESSAGE TRANSMISSION NETWORK 



as U.S. Application Number or PCT 



the specification of which (check one): 

□ is attached hereto, or K was filed on: 27 April 1999 
International Application Number: 09/673,658 

and (if applicable) was amended on: 
I hereby state that I have reviewed and understand the contents of the above-identified specification, including the claims, as amended by any 
amendment(s) referred to above. I acknowledge the duty to disclose information which is material to patentability as defined in Title 37, Code 
of Federal Regulations, §1.56. I hereby claim foreign priority benefits under Title 35, United States Code §119 of any foreign application(s) for 
patent or inventor's certificate listed below and have also identified below any foreign application for patent or inventor's certificate having a 
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1 HEREBY CLAIM THE BENEFIT UNDER TITLE 35 U.S. CODE §1 19(E) OF ANY U.S. PROVISIONAL APPLICATIONS LISTED BELOW. 


Application Number 


Day/Month/Year Filed 











□ Additional Provisional Application(s) Listed on Following Page(s) 

q I hereby claim the benefit under Title 35, United States Code, §120 of any United States application(s) or PCT international 

ipplication(s) designating The United States of America listed below and, insofar as the subject matter of each of the claims of this application is 
"not disclosed in that/those prior application(s) in the manner provided by the first paragraph of Title 35, United States Code, §11 2 J acknowledge 
the duty to disclose information which is material to patentability as defined in Title 3 7, Code of Federal Regulations, §1.56 which became 
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□ Additional US/PCT Priority Apphcation(s) listed on Following Page(s) 

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief 
are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under section 1001 of title 18 of the United States Code and that such willful false statements may 
jeopardize the validity of the application or any patent issued thereon. 

POWER OF ATTORNEY: I (We) hereby appoint as my (our) attorneys, with full powers of substitution and revocation, to prosecute 
this application and transact all business m the Patent and Trademark Office connected therewith: J. Ernest Kenney, Reg. Ne-12JLZ9; Eugene 
Mar, Reg. No . 25,893j jRichard E. Fichter, Reg. No^Zkl&ZLThomas j. Moore, Reg. N o, 28,974; Jo seph DeBenedictis, Reg. No_2&402^ 
Benjamin E. Urcia, Reg. No. 33.805 :_a nd 

I(we) authorize my(our) attorneys to accept and follow instructions from Klunker Schmitt-Nilson Hirsch regarding any matter 

related to the preparation, examination, grant and maintenance of this application, any continuation, continuation-in-part or divisional based 
thereon, and any patent resulting therefrom, until I(we) or my (our) assigns withdraw this authorization in writing. 

Send correspondence to: | BACON & THOMAS, PLLC I 
^ } 625 Slaters Lane - 4th Floor \ 

Alexandria, V A 22314-1176 



Telephone Calls to: J. Ernest Kenney (703) 683-0500 
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Citizenship 




Klaus VEDDER \ 
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Ainmillerstrasse 38, 80801 Munchen ^ermany 
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Date 

12/01/2000 


Signature / /A /? Jwi / 

x l/£m/ ( 





O See following page(s) for additional joint inventors. 



S:\Produchr\je;k\VEDDER - 673658\dec:laration. wpd 



